Recent Carberp source code leak gave an opportunity for researchers to investigate the bootkit and other components of the Trojan. While everyone are looking at the source code of malicious parts, a security researcher has shown an interest in investigating the Panels source code.

Steven K, a security researcher from France, who is running the xylibox blog, has discovered a two security vulnerabilities in the Carberp's Panel - IP Spoofing and Remote Code Execution.

Remote Code Execution is one of the critical security bug that allows hackers to inject and execute commands in the vulnerable server.

Vulnerable code

Researcher found the "data" parameterer in the post request is vulnerable to Remote Code Execution vulnerability. He has also made a Proof-of-concept code to exploit the vulnerability.

He successfully exploited the bug and compromised the Database Username, password and Auth Key. The bug also allows you to run the "wget" command to download the backdoor.

The code apparently shows the cybercriminals who is behind the Carberp Trojan are not good in secure web application coding compared to Malware coding.